Now, there’s a new chapter in the ongoing parade of bad news for internet-connected devices. This time, it revolves around a series of cardiac implants and monitoring devices that are monitored by the Merlin.net Patient Care Network.
Researchers recently released a series of YouTube videos outlining in detail the means by which hackers could take control of the monitoring equipment and either turn it off, or deliver a defibrillation charge to a patient who didn’t need one, essentially shocking their heart at will. Worse, the hacker could opt to leave the defibrillator running, essentially giving the patient a continuous, ongoing shock until death occurred.
St. Jude Medical Center, which relies heavily on the Merlin service, flatly denies that the attack is possible, and insists that it is a publicity stunt designed to damage the company’s stock price. The evidence presented by the video, however, is both clear and compelling.
An investigation is currently underway, and lawsuits have been filed, so it will likely be some time before the full truth comes out, but one thing we know for certain:
So-called “smart” devices are notoriously bad when it comes to digital security. We’ve seen too many high-profile cases in which significant damage has been done for no other reason than the fact that equipment manufacturers can’t be bothered to put reasonable security measures in place on the equipment they sell. This isn’t the first time a medical device has been identified as containing critical security flaws.
If you have been issued a cardiac monitoring device that relies on the Merlin.net monitoring service, beware. There is not, as of yet, a fix of any kind that will prevent this hack.